On Thu, Jun 5, 2014 at 8:41 PM, Peter Trei <petertrei@xxxxxxxxx> wrote:
> I've just joined the list.
>
> I hope to contribute as a developer and architect; I spent 10 years
> developing cryptographic products at RSA Security, among other things.

Welcome! Right now, development is on GitHub. I can give you rw access if you provide me with your username.

> Have we cleared what we want to do with a lawyer knowledgeable in the field?

Yeah, this needs to happen. I did a tiny bit of research in the last hour and found some information on the subject. The more I read about it, the more apparent it becomes to me that we need to give this careful thought and consideration.

www.cryptolaw.org seems to have a lot of information. OpenBSD (and thus OpenSSH) is hosted (developed?) in Canada; however, as you mentioned, they have a legal entity backing the project. It seems that a significant number of countries have signed the Wassenaar Arrangement, which places restrictions on exports, including Canada (this confuses me a bit in the case of OpenBSD/SSH). The Wassenaar Arrangement limits the bit size of symmetric and asymmetric exports, but then allows a "personal use" exception (which, to me, could potentially lead to arbitrary and capricious legal decisions). I'm not sure if this affects just where the project is hosted/compiled, or where the developers reside, or both.

Going off that website (which is probably a bit outdated), I compiled a list of countries that have *no* restrictions on cryptography export:

- Mexico
- Brazil (working on laws?)
- Peru
- Ghana
- Kyrgyzstan
- Malaysia (has some "decrypt during a legal search" laws)
- Uruguay

There are a few others, but they had some questionable comments/laws listed.

That was just a quick summary of the information I found on the subject. A lawyer needs to be consulted, though. I'm not sure how to go about doing that.

Actually, I just googled "cryptography lawyer" and found a firm that has offices in Philadelphia and Wilmington (both cities are very close to me).

http://www.openbsd.org/crypto.html
http://www.cryptolaw.org/cls2.htm#Wassenaar
http://www.panitchlaw.com/

> I strongly suggest that someone on this project contact a team with similar
> concerns - for example, OpenSSL or OpenSSH, so we can leverage their
> experience, or we should talk to the EFF. I don't have strong personal
> contacts in those organizations, but perhaps someone else here does.
>
> A non-anonymous international team developing strong cryptographic products
> for general use needs to tread carefully, in today's climate.
>
> 3. Do we need to post a Warrant Canary? Do we need one for each team member?
> Should we add them to emails? Example at
> http://www.rsync.net/resources/notices/canary.txt

I think Warrant Canaries are essential for each of us. That was a constant source of general mistrust towards TrueCrypt.

> Peter Trei

Nice to meet you, Peter! And thank you!